Yeah, so welcome everyone. I'm Martin Pitt. I'm the current shepherd of Red Hat's Cockpit team, and today I want to show you how you can embed Cockpit into your larger computing environment.

So first of all, I hope that most people in the room will already have seen Cockpit, but just in case you didn't, just a super, super quick intro. So conceptually, Cockpit is a Linux session that runs in a web browser, as opposed to an SSH session running in a terminal or a GNOME session running on a graphics card. This exposes your server onto a web browser. So it's a tool for experimenting, for learning, for troubleshooting and for doing infrequent tasks. For example, if you add a new physical volume to your LVM about once a year, you can spend like an hour going through the man pages and trying to come up with this, and of course you see there's lots of opportunity to screw up and make typos and stuff. Or you can log into Cockpit. I mean, I hope that everyone has seen it before. So we go to the storage page, we go to our LVM, and we want to add a new PV. That gives me a list of available ones, there's not too many to choose from, and I can just click around and grow this, and it's fairly safe. Let's just give it the whole thing, doesn't matter.

So this also makes Cockpit accessible to people who are not familiar with all the Linux concepts. But aside from making Linux accessible to more people, it also makes it accessible to many more places that traditional SSH-based approaches don't reach. For example, here's a classic Windows 10 standard installation, nothing else. I can open Edge, I have Cockpit in that thing, it looks exactly like what you would expect, and without any further software on that server.
I can open a terminal in Cockpit and, like, look around. Well, of course I make typos because so many people are watching, but you get the idea. So, no extra software. So how do we get out of here? And likewise, there are also mobile devices these days. Of course I'm not going to show my phone here, it's too small, but we made a lot of effort to make Cockpit accessible on mobile devices and small screen formats. So you see, that's the storage page that you saw early on. I mean, it might not look great, but it's useful. So there is administration in your pocket. And all of that works with pretty much zero configuration on your server, aside from possibly installing the cockpit package (some distributions install it by default) and then enabling the cockpit socket unit. And there it is.

But wait, pitti, you say, this is all fine and good, but I don't really want to install like 10,000 web servers on my 10,000 machines, and in large environments that might be impractical. You might not even be allowed to install a new system service and open a new port, and maybe you don't even have a password to type into the login page. So I want to give you a glimpse of how to customize Cockpit for these kinds of environments and how to authenticate to it in other ways.

For configuring, extending and embedding Cockpit, you need to coarsely understand its components, so that you know what the different things do and so that you can plug them together in a different way and understand what they do. So what I've just shown you here with my little demo was the default structure. This is probably what you see when you use Cockpit the first time. Essentially everything is running on one machine. First of all, all components in Cockpit communicate with each other with a standard JSON protocol on simple pipelines, so usually stdin and stdout. And this provides a lot of flexibility and customizability, as we will see shortly. So first of all,
At the beginning of the chain is the browser. These browsers only speak HTTP and WebSocket, so none of the things that we usually need when we want to administer a Linux machine and its APIs. So we always need some kind of web server somewhere, and that's called cockpit-ws, at the top. This is where the HTTPS requests land. The purpose of the web server is first to collect some credentials from the user. That can be by providing a login page and collecting the password, as you saw, but it can also do a lot of different things: it could negotiate a Kerberos session between the server and the client, or it can ask the client for a client certificate, the TLS certificate that's commonly provided by smart cards and stuff, or something else, which we will see. And then, after that, of course, the web server's task is to deliver the HTML and JavaScript contents to the browser, so that you actually see something.

Yeah, so this web server runs as an unprivileged system user. So by itself it cannot really do anything to the system, and this is why we need some helper to actually start a session once we have some credentials.
We need to start a PAM session, and you need root for that. So our standard component that you saw before is called cockpit-session. This is a very small and auditable setuid root helper which essentially collects the credentials that the web server picked up and then stuffs them into the PAM stack. And if all goes well, you have a Linux session, and then it essentially transitions over to the session leader of the Linux session and essentially disappears. And then of course it forwards this JSON pipe that I spoke of earlier from the web server to the new session.

And finally, what's happening in the session: the first process in that session, the session leader, is called cockpit-bridge. So you can think about this as the moral equivalent of what bash is to an SSH session. It's the thing that launches all the actions that you actually want to do. On its top end it talks that JSON protocol that the JavaScript drives, and on the other side it can do all the things that you need to talk to Linux services, like open files, open D-Bus connections, pick up D-Bus signals, open sockets, and all of the things that we use to implement pages like the storage page. And of course that is a very complex program.
It does a lot of things, but on the other hand it's relatively uncritical, because it just runs in the Unix user session without any special privileges. So anything which you can do in an SSH session, cockpit-bridge can do, no more, no less.

But so here's the first thing: the web server and the login session don't really need to run on the same machine. So this is where it becomes interesting. The most obvious replacement of this cockpit-session thing that we saw earlier is SSH, because if you think about it, it does exactly the same thing structurally: it takes some credentials, it forwards its stdin and stdout to the remote thing and starts the session there. And you can do this. So let's go back into desktop mode. We can talk to a remote machine here. Let's add a new one. So, okay, I've never seen that machine, of course I trust it. For simplicity, I'm just using a normal user and password here; of course you can use an SSH key as well. And here we have a new server. And you see that the front page here looks a little different, because this is like a RHEL 7 machine. It runs an older Cockpit, so the front page was just different. For this purpose, it just tells you that this is actually the remote machine that we talk to. But otherwise, I mean, it feels pretty much the same as we saw earlier, right? But this now has an interesting property, because on this "cockpit-or-death" machine there is nothing Cockpit-specific running on the system. No web server.
No extra open port. The only thing is the cockpit-bridge thing, but as I already told you, that's rather uninteresting from a service management and also from a security point of view, because that's just a random program in the session.

And you can put this principle to the max if you completely disable the local sessions with cockpit-session. So we call that a bastion host. You pick one random computer in your network to be the Cockpit web server. This could even run in a container if you want to, because, as I said, this doesn't have a lot of privileges; it just needs to open the port and call SSH. And then you completely disable local logins, so that all the machines that you administer are not influenced by this web server thing. So let's show that. Of course, if you use a real bastion host, this looks a little nicer, but every Cockpit installation can do this by default with this "connect to" option. So let's use the same machine, admin, super secret password, and there we go. So now the entire session is running on this remote machine. You notice it looks a little different here: this one now says Enterprise Linux in the server; before that it said Fedora, because that was my local one. And again, we see that the information here is from the remote system.

Okay, so Cockpit supports a lot of other authentication setups by default which are common in larger environments. Identity Management is very common, so you normally get a Kerberos ticket when you log into your desktop session or even a Windows machine, and then Cockpit can use that Kerberos ticket to get you single sign-on. So if you go to your server on port 9090, you will immediately get a session as your user, without any further login page.
Of course, you need to enable this in IdM, but we support that. And browsers can also ask for TLS certificates, like if you have a smart card reader and you want to authenticate with this; the latest Cockpit versions can also use that if you enable it.

Hmm, and a rather interesting case, for me, is Foreman. So this shows how you can embed Cockpit into a different web application. In recent versions they grew a "web console" button, and that shows a very interesting seamless transition between two different authentication domains. Let me show you how that looks. So this is Foreman; normally this is being used to maintain like hundreds of thousands of hosts. You can select one, and then you see this little "web console" button here, and if you press it, it does its little authentication thingy and you are immediately in that machine where you want to be, and everything works, like the terminal. You are the root user, and that works because Foreman already has SSH to all these target machines. So, if you notice the URL, that's Foreman; that's nothing Cockpit-ish or port 9090. How Foreman does that is it uses a little cockpit-ws container or process or something, and puts itself as a reverse proxy on top of that, so that everything appears as the Foreman thing and you don't need an extra port. And it uses a custom authentication helper, so that Cockpit can just directly authenticate to Foreman. This is so that you don't circumvent the reverse proxy and just get an SSH session for free.

But yeah, I would like to show all of this, but it wouldn't fit into the three minutes or so that I have, and also I guess you would probably immediately forget the details again. So suffice it to say, this whole authentication setup is very powerful, and you should keep it in the back of your mind that if you want to do such a thing, there is prior art for this and it's possible.

Hmm. So, but what I do still want to show you is kind of the opposite. So when I told you that you can replace this cockpit-session helper with anything, this includes the possibility of literally nothing. Due to the common JSON protocol, we are not bound to this rigid structure. We can also connect our cockpit-ws web server directly to the bridge, like what we usually run in the sessions. Now, why would we want to do this? Take a step back: what I've just shown you before, I was logging in with my browser into my own machine with my own credentials. But actually this is kind of stupid, because I already have a running desktop session which knows who I am. So what we could do, as a first idea, is we turn the whole thing upside down, and instead of the web server launching a session, we have an existing session and run the cockpit-ws web server in that, then, as myself. So let's see how that works. That's my shell here. So that's the command that I show you: I start a web server as my own user on port 9999. Don't need that. And voilà, I have a session as myself. This is the PolicyKit prompt, it's in German. So as you know, you can put Cockpit into different modes, like an administrative mode or not. For now we just say no; then I get like a kind of read-only session. And yeah, this is my session.

But hopefully now all of you have some alarm bells going on, because what did I just do? I exposed my session to a public port on the network here, right? So I hope nobody took advantage of that by now. Let me shut it down. Ha ha, too slow. But yeah, so of course, obviously we cannot use that, because that's horribly insecure. But still, this idea seems attractive, right? I mean, what can we do to salvage this?
Linux to the rescue. So what we can do is we put a little network namespace around the browser and the cockpit-ws web server, and thus we completely isolate this pair from the whole outside world. So cockpit-ws can open as many ports as it wants, and then the only thing that can happen with that is that this little browser can talk to it, and nothing else. And yeah, then of course we can do some more work to isolate the browser chrome, so that you don't have the URL bar and other buttons on it, because they would be quite useless in such a setup. I mean, there's only one place in the universe where you can get to. And yeah, we did that: we provide a little cockpit-desktop script, which essentially does all that, like create the namespace, start a browser, and for getting rid of the chrome you can use WebKit if it's available. And this then looks like this. Let's make this a little wider so that we don't get mobile mode. Oh, what happened? Right. And so here we have Cockpit again, but this time in a secure fashion, because from the outside world there is no port 9999. And this already starts to look reasonably decent, right? So we can make this even a little more tasteful if we hide away all this menu here that is not really relevant on the desktop. So we can show only a single frame, like the storage page that I was showing you early on. Yeah, and now this starts to look like a desktop app, right? So it's kind of Electron without Electron.
So if for some reason you don't like GNOME Disks, or you cannot use it, then this might be a use case in some environments. Or if you need a UI to manage podman containers, then, well, use podman, install cockpit-podman, and there are your containers on your desktop without any extra authentication stuff. So cockpit-desktop is a relatively small shell script, so feel free to poke around with it, investigate it, adjust it and play around with it. And just imagine, of course, you can combine this with SSH and all the things that I've shown you earlier. So once you know about this structure, you can pretty much freely combine all these SSH and web servers and reverse proxies and custom authentication helpers to embed Cockpit into the places where you want it to be.

Okay, so as a conclusion. Oops. Yeah, so Cockpit provides a set of standard authentication protocols; I've only shown you the most simple ones here that are being used in today's modern computing deployments. And yeah, due to the flexibility of the components, you can pretty much plug them together in the way that you need. And if you want to talk to us, here is where you can find us on IRC, we have a mailing list, and there is our home page, and of course all the code that I've shown here is available somewhere. So, we have five minutes for questions. Thanks for your attention.

Oh, yeah, great. Well, I guess everyone's just slumbering because it's really the bad time in the afternoon. Okay, great, then.

Let's say you want to do volume groups, like the volume or whatever; as a regular user I'm not allowed to do so. So if I'm logging in as a regular user with the proper sudoers rules in place...

So the question was, if I have sudo privileges, can I use Cockpit for those as well?
And yeah, of course. Right now, this is what this box is for. So if you check this, that essentially means it will reuse your password to authenticate to sudo, and then I can actually do these things. I mean, I've shown you with the storage page, I did the LVM thing. Maybe your question was if you have specific sudo rules. Yes. So that doesn't work right now, because we run all the administrative commands through a root cockpit-bridge. So the cockpit-bridge then starts sudo cockpit-bridge, essentially, and if that succeeds, then this is a channel which runs all the administrative commands. We have some examples which use polkit rules, like on the firewall pages, but we are not currently making a lot of use of that. But of course, that's every page's decision. So this is currently pretty deep in the Cockpit architecture: that we don't run sudo all the time, but we try and do it once. Also because it's pretty hard to get immediate feedback, like, if your system changes, we immediately want the Cockpit page to reflect that, and if you're not sudo all the time, then it's essentially impossible to get that. So, does that answer your question? Yes? Okay.

So the question was if two-factor authentication works with Cockpit. So on the login page, this one, it totally works, because that's just reflecting the PAM stack, and if you have like Google Authenticator or something, then this will just ask you for it. But you are right that if sudo wants to do this, this doesn't currently work. This is on our roadmap; we in fact just talked about it three days ago. So we have an idea how to fix this, and the fact is this checkbox will go away entirely, because it's too confusing and it's kind of just static.
So we are going to replace it with a more dynamic kind of "become sudo" / "drop sudo" button in the UI, so that it also works with SSO and such. But yeah, so this is a weakness and we are working on it. Okay.

Can you talk about the other options dropdown?

What else is there? Well, right now there's only the "other host". So this is what I've shown you with the bastion host, so "options" is kind of a lie. So, yeah. That's right, maybe there was another option in the past. I... Well, you wouldn't see... So the question was if the client certificate authentication would be here. Well, the thing is, the login page, you only really see this when you use password authentication. With SSO, with smart card authentication and so on, you never see this, you get straight into the UI. So this is why we don't actually want to put a lot of things here. This is mostly for bastion host and password. But most of this is also why we want to move the sudo thing, because you would never see it in these cases, and it's kind of bad. Okay, thanks a lot.